If you’ve ever met a member of our lovely team in person, had a look at our website or even read around a bit online, you will have come across the term PEN testing. PEN testing is something many cyber security experts will perform at the beginning of your engagement, but do you really know what it is, and why we do it? In this blog, we will look into exactly what a PEN test is (and what it isn’t), and some of the reasons why different businesses might choose to have a PEN test. We will share some important things to consider when choosing a partner to do your PEN test.
What Is A PEN Test?
Penetration testing, also known as PEN testing, is the practice of actively trying to uncover and exploit vulnerabilities within a business’s cyber-security system. PEN testing goes one step beyond a vulnerability scan or a compliance audit, which simply look at the top level and discover vulnerabilities. Instead PEN testing is used to demonstrate how real world attackers could enter and misuse systems. A PEN test often involves using a series of automated tools and process frameworks in conjunction with a human tester, who will be able to think creatively and expose any gaps, however small, in your security network. This combination of technology and humans is used because real world hackers will use automated tools to do a lot of the work for them, but will also have the wherewithal and wit to think outside the box and come up with creative ways to get around your defences. PEN tests will be done multiple times to try and find as many weak points as possible over a period of time, exposing any time-sensitivities you may have. Ultimately, a PEN test is designed to give businesses a way to test the effectiveness of their security measures against real world attacks, instead of theoretical ones.
What Are The Benefits Of PEN Testing?
There are a number of reasons business owners might want to invest in penetration testing depending on the size, purpose and vulnerability of their business. A few common reasons are:
- To determine the likelihood of attack from certain angles.
- To test new security systems for vulnerabilities before they go live.
- Assessing the magnitude of any potential business or operations failures as a result of a cyber attack.
- Testing the ability of their network defenders to spot and repel a cyber attack quickly.
- Providing evidence to support increased cyber-security investments or proof of increased efforts to repel a cyber attack.
- After a cyber-attack; to determine how exactly the attackers got in, in order to shore up your defences.
Of course, there are many more reasons you might want to enlist a PEN testing expert, but these are the main reasons we often see. Defining the purpose for the PEN test will largely depend on the drivers for the individual business, and each PEN test will be conducted slightly differently.
What To Ask Before A PEN Test
While choosing a partner to conduct your PEN test, trust and knowledge will have a huge part to play. So the most important thing to do is hire a company who have a long and proven history of conducting successful PEN tests. You need a team of people with experience and a variety of skills and tools to do the job properly. PEN testing is an inherently risky process, so make sure you meet the team beforehand and that you feel comfortable with them and their certifications. This is why many business owners will select their PEN testing partners based on recommendations. You also need to make sure that they understand the scope of work and what you are trying to achieve with the PEN test, as this will help them target your business in the right way and expose any weaknesses there. Additionally you want to know if the testers will make any recommendations after the PEN test is complete, to give you some actionable points to improve your security. Those firms that simply provide you with a report are not going to be as useful or valuable to your business.
At Bridewell Consulting, we provide a wide range of security testing services, including intensive penetration testing. Our experts are highly skilled and experienced in arranging, planning and conducting extensive PEN tests for all types of businesses. Holding recognised technical certifications such as OSCP, CREST and Tiger, you can be sure that your testing is always being done by an expert. For more information on penetration testing for your business, or to arrange your PEN test, just get in touch with the team today.